Authors: Robin Berthier, Michel Cukier
Addresses: Center for Risk and Reliability, Department of Mechanical Engineering, University of Maryland, MD 20742, USA; Center for Risk and Reliability, Department of Mechanical Engineering, University of Maryland, MD 20742, USA
Abstract: The goal of this paper is to evaluate how efficiently connection characteristics separate different attack families that target a single TCP port. Identifying the most relevant characteristics might allow attack families to be separated statistically without systematically resorting to forensics. This study is based on a dataset collected over 117 days using a test-bed of two high-interaction honeypots. The results indicated that, for separating unsuccessful from successful attacks in malicious traffic, the number of bytes is a relevant characteristic; time-based characteristics are poor characteristics; and using combinations of characteristics does not improve the efficiency of separating attacks.
Keywords: attack characteristics; honeypot; statistical analysis; data mining; network attacks; attack families; attack family separation; security; unsuccessful attacks; successful attacks.
International Journal of Security and Networks, 2009 Vol.4 No.1/2, pp.110 - 124
Published online: 23 Feb 2009